
Re: iptable: --seconds



Sorry for the late reply, I only saw this message now...

Gerhard Kroder (gerhard.kroder@t-online.de) wrote on 4 December 2005 23:07:
 >I want to stop sshd account testing by scripties with the
 >following iptables/bash script, but it won't do what I thought.  On
 >a sarge test host with 2 aliased nic (eth0:1 and eth0:2), this
 >script loads correctly, it drops connections with --hitcount 3
 >correctly (client gets timeout, sshd gets no connection/log), but
 >doesn't get back for login after --seconds 120. No error or logging,
 >only "Connection timed out" when I try to ssh into those aliased
 >interfaces. Login on eth0 always works ok.

 >
 >
 ><---cut--->
 >#!/bin/bash
 >IPT=/sbin/iptables
 >
 >#OPT="--verbose"
 >OPT=""
 >
 >## ip's changed 
 >ip_if1=192.168.10.11
 >ip_if2=192.168.10.12
 >
 >## just for testing: flush old rules
 >$IPT --flush
 >
 >## call ipt for all hosts in list
 >for ip in $ip_if1 $ip_if2 
 >do
 >$IPT $OPT -A INPUT -p tcp --dport 22 -i eth0 -d $ip -m state --state NEW -m recent --set
 >$IPT $OPT -A INPUT -p tcp --dport 22 -i eth0 -d $ip -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j LOG
 >$IPT $OPT -A INPUT -p tcp --dport 22 -i eth0 -d $ip -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
 >done


Perhaps you could try this:

$ipt -A FORWARD -i $ethEXT -p tcp --syn -m state --state NEW -d $sshserv --dport 22 -m recent --name ssh --set
$ipt -A FORWARD -i $ethEXT -p tcp --syn -m state --state NEW -d $sshserv --dport 22 -m recent --name ssh --rcheck --seconds 60 --hitcount 6 -j limitassh

and in the limitassh queue:
$ipt -A limitassh -j LOG --log-prefix "limitassh: "
$ipt -A limitassh -j DROP

I used another queue to avoid checking twice in a time-dependent rule.
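To see why the switch to --rcheck matters, here is an added simulation (not code from either mail) of the xt_recent semantics these rules rely on: --set always records a stamp for the source, --update records one more whenever it matches, and --rcheck records nothing. The source address and attempt times are constructed, and the chain is reduced to one --set rule followed by one check rule that ends in DROP.

```python
# Simulation of the iptables "recent" match (xt_recent) as used in the thread.
# Added example; the source address and attempt times below are constructed.

class RecentList:
    """One recent table: per source, the list of 'last seen' stamps."""

    def __init__(self, max_stamps=20):      # ip_pkt_list_tot default is 20
        self.stamps = {}
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: always record a stamp for src (creating the entry)."""
        self._stamp(src, now)

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True) with
        --seconds / --hitcount: match if at least hitcount stamps fall
        inside the last 'seconds'; --update then adds another stamp."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self._stamp(src, now)
        return matched

    def _stamp(self, src, now):
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        del lst[:-self.max_stamps]           # keep only the newest stamps


def ssh_chain(rl, src, now, mode, seconds=120, hitcount=3):
    """Walk a reduced version of the rules: --set, then --update/--rcheck
    ... -j DROP (the quoted script has two --update rules, LOG then DROP,
    and both of them stamp on match). Returns the verdict for this SYN."""
    rl.set(src, now)
    if rl.check(src, now, seconds, hitcount, update=(mode == "update")):
        return "DROP"
    return "ACCEPT"


def run(attempt_times, mode):
    """Verdicts for one source making NEW connections at the given times."""
    rl = RecentList()
    return [ssh_chain(rl, "198.51.100.7", t, mode) for t in attempt_times]


if __name__ == "__main__":
    for mode in ("update", "rcheck"):
        print(mode, run([0, 10, 20, 135, 200], mode))
```

A source retrying every couple of minutes stays blocked under --update (two stamps per dropped attempt keep the count at --hitcount) but is admitted again under --rcheck once fewer than --hitcount stamps fall inside --seconds.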


